pblsoft
Level 3

Signing problem

I have a single exe installer which I've built using InstallShield 2008 and signed with a code signing certificate using the integrated code signing features of InstallShield 2008 on a WinXp PC with IE7.

During the build process the log indicates that the signing of both the msi file and setup.exe and my application.exe was successful.

The signature used is valid for code signing, and if I check the signatures on the development PC they all report "ok". If I move the setup.exe to another computer, the signature reports "not ok" "This certificate is not valid for the requested usage" or something like that (translated). The same is the case for my app.exe after install.

Do I need to install more signatures (root certificates or other) on the destination PC or does anyone know what else may be wrong?

Peter
0 Kudos
(5) Replies
MichaelU
Level 12 Flexeran

I'm not certain from the description, as I've not run into this exact behavior and I'm no expert, but here are some things you can check. Open up the properties for the certificate you are using and view its whole chain up to the root certificate. Then, on the computer where it fails, look for the same set (perhaps by looking at the certificate properties, perhaps by opening the certificate store from Internet Options).

If the root certificate is missing from the second machine, that means the certificate won't be trusted. If it's part of a chain three or longer and a certificate in the middle is missing, that generally causes the same problem. Either of these can be resolved on that machine by installing the missing certificate(s). But unless you want your customers to have to install them as well, you'll have to figure out why they're not present. Was this one computer out of date, or is the certificate itself just not from a known CA? Proceed accordingly.
0 Kudos
pblsoft
Level 3

Thank you, Michael, for your input.

Unfortunately, this doesn't help me. If I look at the certificate chain, my certificate only has one parent certificate, the root certificate from TDC OCES CA, which is the supplier of my certificate. This root certificate also exists on the other computer, and is valid. The only difference I can see is that on the other computer my certificate reports that it is not valid for the requested usage. I can see on the properties on my certificate on the computer where my certificate works, that it is valid for code signing, and that is what I am using it for.
If I look at the advanced properties of the certificate, the Counter-Signature is listed under non-approved properties, but this is also the case on the machine where it works.
If I look at the properties of the counter-signature, this reports ok and has no non-approved properties.

I hope that you or someone else can figure out what is wrong with this signature.


Peter
0 Kudos
pblsoft
Level 3

Just another thing. I tried uploading the signed setup.exe to my web site and simulated a download/install.
On the computer where it was created (where the digital signature is installed) it was correctly reporting me as the supplier, and on the other computer, it reported "unknown supplier".

Peter
0 Kudos
MichaelU
Level 12 Flexeran

The last behavior description doesn't surprise me, as when a signature is considered invalid, dialogs presented to the user will be similar to if the signature is not even present. Unfortunately I don't know enough about certificate usage limitations (code signing vs. other) to be of any help. Perhaps you can talk to your certificate vendor to clarify if your certificate is of the right type?
0 Kudos
pblsoft
Level 3

Actually, it wasn't. Even though "code signing" was checked in the certificate's advanced properties. I've now purchased another certificate from VeriSign, and suspect this will solve the problem.
0 Kudos
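
Added example, not part of the thread and not InstallShield's own tooling: a PowerShell script that can be run on both the build PC and the PC where the signature fails, so the two results can be compared. It reads the Authenticode signature of the installer, lists the Enhanced Key Usage values encoded in the signer certificate, and builds the chain on the local machine while requiring code signing usage, which is the check behind the "not valid for the requested usage" message. The default path `.\setup.exe` is a placeholder.

```powershell
# Added example: run on both machines and compare the output.
# The default file path is a placeholder.
param([string]$Path = '.\setup.exe')

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# Overall Authenticode verdict as this machine sees it.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Status : $($sig.Status)"
"Message: $($sig.StatusMessage)"

$cert = $sig.SignerCertificate
if (-not $cert) { throw "No signer certificate found in $Path" }

# Enhanced Key Usage values encoded in the certificate itself.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku) {
    $eku.EnhancedKeyUsages | ForEach-Object { "EKU    : $($_.Value) ($($_.FriendlyName))" }
} else {
    'EKU    : extension not present'
}

# Build the chain locally and require code signing usage.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$oid = New-Object System.Security.Cryptography.Oid $codeSigningOid
[void]$chain.ChainPolicy.ApplicationPolicy.Add($oid)
# Revocation is skipped so the result reflects trust and usage only.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$ok = $chain.Build($cert)
"Chain valid for code signing: $ok"

# Per-certificate status, from the signer up to the root.
foreach ($element in $chain.ChainElements) {
    "  $($element.Certificate.Subject)"
    foreach ($status in $element.ChainElementStatus) {
        "    $($status.Status): $($status.StatusInformation.Trim())"
    }
}
```

A `NotValidForUsage` status on one element shows which certificate in the chain fails the usage check on that machine, while `UntrustedRoot` or `PartialChain` points to a missing root or intermediate certificate instead.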